Inside DoD crime lab
Inside the DoD's crime lab
Digital evidence comes in all shapes and sizes: pallets full of
computers, a hard drive with an AK-47 bullet hole in it, audio tapes
fished out of the ocean, mangled floppies, garbled 911 calls.
Whenever U.S. government agencies investigating a crime or a
cybercrime has digital evidence that's too difficult to analyze, they
send it to the Department of Defense computer forensics lab.
The evidence can arrive in a military vehicle, via FedEx or through
the U.S. Postal Service. However it gets there, it's accepted at the
loading dock of an unmarked commercial building on the outskirts of
Baltimore.
It's then logged and sent to an evidence custodian, who inventories,
tags and stores it in a locked cage.
Network World was invited into the Defense Computer Forensics Lab
(DCFL) for an inside look at how computer investigators at the cutting
edge are using digital evidence to help solve crimes.
The purpose of the lab is to analyze evidence gathered at crime scenes
involving the military. Whatever crimes occur in the civilian world,
you also see in the military. It could be homicide, child pornography,
identity theft, counterfeiting, misconduct, terrorism, espionage,
contractor fraud or misuse of government property.
With these crimes, there's often digital evidence in cell phones,
pagers, PDAs, geo-mapping systems, digital cameras, cockpit recording
systems and anything else with flash memory or ROM.
"We estimate that 95% of criminals leave digital evidence at the
scene," says Donald Flynn, attorney adviser for the Defense Department
Cyber Crime Center, which houses the DCFL.
That evidence must be able to stand up in court, particularly now that
judges and attorneys are becoming savvy enough to start asking
questions about the integrity of digital evidence. The DCFL addresses
this through rigorous training and advanced tools such as certified,
high-capacity extraction and imaging processes and tools.
Inside the lab
My tour guide at the high-security lab pushed a button at the
double-door entryway into the lab that triggered blue ceiling lights,
which blinked incessantly to alert technicians that unclassified
visitors were on the premises.
The lab includes your standard office cubicles, but every cube is
outfitted with state-of-the-art processors, multi-system server stacks
and 42-inch flat-screen monitors.
"Some of the evidence comes in on pallets - cases full of servers,
CPUs, RAID disk arrays, floppy diskettes, Palm Pilots, digital
cameras," says special agent Bob Renko, director of operations for the
lab. "We've even gotten evidence in buckets of water - for example,
video tapes recovered from jets crashing into the sea during training
exercises."
The first stage in evidence extraction is digital imaging. This is
trickier than it sounds because contents can be altered in the process
- such as adding a date stamp when copying a hard drive, thus tainting
the evidence and rendering it inadmissible.
Then there's the sheer volume of data. In 1999, analysts examined
their first terabyte-sized case when they received a palette of
computers belonging to a defense contractor accused of violating
Environmental Protection Agency guidelines in its handling of toxic
waste. If analysts had tried to use technology that copied and
examined one drive at a time, they still would be investigating that
case, says the lab's director, Lt. Col. Ken Zatyko, special agent with
the Air Force Office of Special Investigation.
So analysts created their own script, which moves images of all the
media into one place. In this location, searching and extraction is
conducted across all the data simultaneously using the same search
phrase.
Last month,the lab received several palettes, containing more than 3T
bytes of data to image and extract. The evidence, which filled a
20-by-10-foot windowless room, required its own storage-area network .
The recovery process begins with entry-level technicians checking
evidence out of lockup. Then they create bit-stream mirror images onto
cleaned hard drives to prevent contamination.
They make the copies using a modified Linux tool dubbed DCFL Data
Dump. The tool is akin to private-sector imaging tools such as
SafeBack, which takes a mathematical hash of the image and compares it
to the original hash to prove the image is an exact replica.
Crimes and misdemeanors
The busiest unit in the lab is Major Crimes and Safety, which handles
criminal cases involving digital media. The forensic analysts in this
unit work in open cubicles, each with two Windows 2000 workstations,
one to search the imaged data and another to store recovered evidence
or for when they're working two cases at once.
Renko says the agency's extraction tools work in a forensically sound
manner across computers and PDAs, but become problematic when it comes
to cell phones and pagers.
"At least one time, we've had to work directly with the telephone
manufacturer to successfully retrieve data," he says.
For computer examinations, the agency's standard data search and
extraction suite of tools is called iLook, which is licensed by the
Treasury Department. A private-sector equivalent would be EnCase.
Bill (for security reasons, analysts are only allowed to give their
first names) is an advanced forensics examiner and former metropolitan
detective in Washington, D.C. He explains how the tool conducts
keyword searches, and reassembles damaged and erased files, e-mails,
attachments, temporary Internet files, data files and renamed files
into a list of searchable files.
"Say you have a contractor using sub-standard explosive bolts, which
are critical to pilot safety because they're what makes the cockpit
lid fly off in an emergency ejection. We know the cost of quality
bolts should be about $100. We can do keyword searches through their
accounting systems on 'explosive bolts,' to see what they're actually
paying for them," Bill says. "Or, if we have a child porn case, we can
order up a thumbnail view of all Internet cached files across multiple
drives to see what's been downloaded."
As Bill finishes talking, a long list of files appears in the search
window of his workstation. Six suspicious files are highlighted in
yellow, indicating that the search phrases were found in those files.
Hardware magicians
Shortly after it became operational in 1998, the lab received a
classified hard drive that seemed impossibly damaged. An outside firm
estimated it would cost $250,000 to repair. Renko balked.
"We figured it was more feasible to train our own people to repair
hard drives," Renko says, while pointing out lockers where evidence is
stored when not being processing.
He stops in a small room with two Plexiglas-enclosed clean areas where
technicians have soldered mutilated floppies and repaired hard drives
that have been thrown off balconies and even shot with AK-47s, as in
one recent battlefield case. The data where the bullet holes and
solder marks are can't be recovered, but the rest can, Zatyko says.
The intrusion-analysis squad occupies the rear section of the lab,
where examiners, who work primarily on Linux systems, investigate
hacks on Defense Department networks.
"Our first job is to find out how the computer was intruded upon and
what data was accessed by the intruder," says "Sig," who was recruited
from his job as head of information security for a university. "For
the information assurance part, we tell our client agencies what their
entry point was and what needs to be patched to protect from future
hacks."
Sig pulls up an advanced tool named Starlight. A multi-colored,
three-dimensional map pops up: Each of its lines represent a separate
connection made into the defense network and each color representing a
different protocol.
"We've had entire underground hacker ISPs coming at us," Sig explains.
Color-coding protocols makes it easier to determine which computer is
sending which attack. "For example, the exploit in this case ran over
HTTPS, so we color-coded all the HTTP proxy traffic in red. Then we
can see that three of these IPs coming at us are involved in that type
of traffic," he says.
In this case, the hackers were caught and prosecuted, and the entire
hacking group disappeared from the Internet underground, he says.
As examiners trace hackers back to different hops and examine those
boxes, they run into new variants of hacker tools stored on those
computers that haven't been reported by tracking services such as CERT
and Bugtraq.
The new hacker tools are added to the unit's malicious logic database,
which will then detect them if they're used in future cases.
Furthermore, the database helps analysts spot similarities when
multiple attacks are hitting different Defense Department networks at
the same time, indicative of a large-scale attack by one source. Such
cases are then reported to the Joint Task Force on Computer Network
Operations.
In recent months, law enforcement agents from Australia, Canada,
Germany, Hong Kong, Singapore, the U.K. and other nations have toured
the facility to better develop their own cybercrime units. U.S.
attorneys, judges and law enforcement agencies also frequently call
for technical clarification. (For example, a recent call came in from
a judge who needed to know the difference between evidence recovered
from a cached memory vs. evidence found in a file on the hard drive.)
As more cases involve digital evidence, the need for sophisticated
digital forensics capability throughout the legal system will continue
to grow, says Gail Thackery, U.S. Attorney for the state of Arizona.
Thackery has prosecuted a number of computer-related crime cases and
teaches at ACIS International Association of Computer Investigative
Specialists.
"Police used to worry about guns and blood and chemical evidence, but
now every case in America has a computer involved in it. The legal
system is hungry for experts at digital evidence," she says.
"So computer forensics training and careers are going to be hot for a
long time," she adds.
